QPC Security - Breakfast Bytes
Password management
Episodes
Friday Mar 31, 2023
Wednesday Jan 11, 2023
Kathy Durfee – CEO & Founder of Tech House joined Felicia to discuss dark web breach monitoring
Scenario: FUD report from a competitor
Perceived: Multiple users in their environment were breached. The perceived proof was a report listing the users and their passwords, along with columns of data that the customer did not recognize.
Good: Customer told their current IT service provider about the report.
FUD – Fear, Uncertainty, and Doubt – is, in the wrong hands, a powerful tool to drive snap decisions within a company. However, it is not a viable or valid sales tactic: for all it could potentially do well, causing unnecessary stress and suffering is what it does best. Speaking with Kathy Durfee, CEO and Founder of TechHouse, a managed services and solutions provider based in Florida, we walk through a recent case of FUD with a customer of hers that received a worrisome report from a potential competitor. During our chat, we covered:
The key aspects of FUD (and how it does not work)
What the Dark Web is, and the logistics of monitoring and combating it
Leadership training and best practices for helping a team best meet their security and regulation requirements
Identifying the key differences between commodified and relational partnerships, especially in the technological sphere
Shared responsibility between MSPs, their customers, and those customers’ clients
Where does dark web monitoring and dark web data risk reside on the continuum of risk? How best to mitigate?
What really is the risk and the mitigation?
Put the efforts into prevention.
Put the individual in the driver’s seat of managing the risk that is best managed by them by putting the right tools in their hands.
Resources
https://haveibeenpwned.com/
Perception of the proper allocation of the budget
Businesses must make time for training.
ITSP must include in service catalog what the client is getting in terms of services.
What do we need to do? Cross reference on tools that accomplish outcomes and cover risk mitigation and ensure that the client understands what those are.
Training is how you squeeze the juice out of the orange. Without it you may not get all the juice out of the orange or get any juice out of it at all.
Common business objections to allocating time for training
Payroll costs, but avoiding training is not legally defensible anymore.
Policies
The IT Service provider CANNOT alone write policies for you, and they CANNOT approve and enforce your organizational policies.
Four pillars
Policies
Technical controls implemented
Automation of technical controls
Reported to the business – It’s YOUR report, your organization. Shared responsibility – some months the CFO does it, some months the CEO does it. Set a schedule and do it. 3 weeks any habit; trainer or partner
Do you look at your P&L and balance sheet every month? You should be understanding the reports from IT.
An interesting lawyer opinion on the topic:
https://abovethelaw.com/2023/01/dark-web-monitoring-for-law-firms-is-it-worthwhile/
Saturday Jul 16, 2022
More than 80% of breaches occur due to credential theft. All organizations have compliance requirements to have org-owned password management systems and MFA enforcement on accounts used by employees and contractors.
Some other needs which must be met are:
Compliance attestation documentation
Proper use of the best MFA method on a per resource basis
Aligning business continuity objectives with cybersecurity objectives
Developing procedures for staff on how to use the company password manager system properly
Aligning procedures with information security policy
Developing/enhancing information security policy
End user awareness training around credentials, MFA, password management
and more
I wrote a 16-page educational guide for clients to help them understand the complexities and challenges of password manager solutions and why this is not an easy button project. This podcast is a supplement to that whitepaper.
See the following supporting podcasts for additional information.
https://qpcsecurity.podbean.com/e/requirements-for-premise-hosted-assets-cybersecurity-bcdr-and-more/
https://qpcsecurity.podbean.com/e/how-to-achieve-compliance-for-privileged-account-management/
https://qpcsecurity.podbean.com/e/avoid-cybersecurity-insurance-fraud/
Why buy from QPC
QPC provides managed clients staff onboarding and training documentation. As we update the documentation with new procedures or enhancements, we publish the new versions of the documents to the client’s IT Training SharePoint library. We also make them available through the QPC Security portal which all M365 users have access to.
QPC creates and maintains workflows for cybersecurity insurance and compliance attestation for managed clients. Compliance attestation and the maintenance of the reports and workflows to produce the compliance attestation are mandatory for cybersecurity insurance and some Federal or State regulatory compliance. As supply chain and vendor risk management becomes more prevalent, organizations will need to provide proof of these items to customers or prospective customers as part of contractual due diligence. Organizations can scramble to compile these items on their own. Managed clients benefit from QPC’s compliance preparedness.
Access to QPC’s password manager import/export/business continuity procedures. Our expertise in password manager conversions reduces friction to staff adoption of the system.
Support customized to client’s unique needs
Strategic guidance on how to best use the tool to meet the staff’s needs while being in compliance and alignment with HR, information security, and company use of technology policies
Advanced security implementation services
Reduced implementation time compared to implementation by client’s in-house IT
Compliance attestation for cybersecurity insurance
HR policies which support use of the solution; employee use policies
QPC provided password security policy
Training for end users on how to set up what kind of MFA
QPC has systems for shared MFA even when OTP is not an option for a resource client staff are accessing.
Managed clients benefit from QPC’s existing R&D investment as well as ongoing enhancements of managed functionality.
No data loss or business continuity risk in doing so. At any point a client who wishes to separate from QPC can do so. This is covered in the separation area of this document.
QPC has a strong relationship with the software vendor where the feature requests we submit are typically integrated in the product in three months. We submit feature requests for functionality for managed clients.
QPC includes additional compliance modules in the subscription which are not part of the standard direct subscription. Keep this in mind when doing price comparisons.
QPC can co-term licensing for user additions
Direct software vendor support is not designed to be anything other than break/fix
Quicker response time than direct software vendor support
QPC is able to provide enterprise level support for the product whereas a direct customer would need to have a $25,000 per year support contract in order to receive a similar level of support direct from the software vendor.
QPC can be the compliance delegated admin for clients where desired. If not desired, then the client must assign and fully train the compliance manager delegated admin. Responsibilities and recurring tasks must be assigned to that person.
QPC works with managed clients to define staff user roles and assign security policies to them. Some employees should not be accessing the password vaults unless they are on company‑owned and secured systems. We define allowed platforms, security baselines, restrict data exfiltration and more.
QPC can implement additional technical controls to prevent employees from storing passwords where they should not be stored, such as browsers. We strongly recommend technical controls and ongoing cybersecurity awareness training backed by employee policies that reduce the opportunity for storing passwords related to company assets in an unapproved manner.
QPC can provide a separate end user support system for clients where they are able to contact the password manager support via email, chat, and phone. This service is not available for direct purchasers. Direct support includes only Level 1 help desk for basic user configuration or end‑user issues at the quantity of 25 per year. Free online documentation and videos are included, of course.
Onboarding, new employee training, and configuration management support is not available for direct accounts.
Business continuity
Not only should all organization or company-related credentials be stored in a company-approved password management system, but at least two individuals in every department should have modify access to any shared credentials. Password management systems which meet the security requirements and are cloud-based tend to have zero trust storage methods.
Zero trust storage is a very important concept. It means that if a second person was not granted access to that data, it may become irretrievable. It also means that unauthorized parties cannot see your passwords or the content you store with them. That includes your service provider and the password management system hosting provider.
Business continuity also comes from techniques. For example, individuals who share a job function should always have their own unique logins and MFA into a system where possible. That is the dual-admin approach. Great examples of that are Constant Contact, bank websites, your company UPS account, marketing automation platforms, etc. Multiple people may be sharing a job function, but each person should have their own login IDs where possible.
In the cases where a website or resource does not allow for individual credentials for multiple individuals, the use of a password manager application with shared MFA allows the shared business function staff to have secure access to the same credential with MFA enforcement on the resource. This is a critical feature for security and risk mitigation.
Separation from IT service provider
In the case the client wishes to separate from QPC, they are able to convert to a direct paid account or migrate their licensing to another IT service provider. No data loss will occur as long as proper offboarding procedures are followed. The procedure is quite simple. First, one must pay for separate licensing. Second, the master administrator account, which is like a glass-break recovery account, must be transferred to the new designated personnel. This is very easy to do since QPC’s standard business continuity protocol for configuration of a managed tenant involves the inclusion of this glass-break or master recovery account.
Friday Jul 01, 2022
You should not put things in the cloud unless you can secure them there at least as well as a highly competent professional would have if they had that asset on premise.
Cloud hosted assets have additional risks.
Counterparty risk
Additional outage and accessibility risk
You have less control
You have less security over the human or governmental access to your content
Zero 4th Amendment protections over that data. It's fully subject to FISA searches that the provider is required to never tell you about.
Also do NOT get sucked into the scam that cloud hosting servers is more secure than if you did them on premise or somehow more cost effective. That is sheer lunacy.
SaaS can be more cost effective and more secure. Look at Office 365 as an example. That is clearly more secure, more cost effective, and more value than a premise Exchange server. SalesForce could be better for you than running your own CRM, but then you are also fully open to their crazy policies which could rip the rug out from under one of your most business critical systems.
There is no one right answer 100% of the time. Context and artistry of security strategy are exceedingly important.
This show is about these things as well as what you must have in place to have premise hosted secure assets. I describe a Tier0 asset scenario specifically and what can easily undermine it.
Premise hosted password managers
It is worth noting that extremely high functionality privileged access management and identity management systems are available in a premise hosted format which are a perpetual licensing model with very low annual software maintenance fees. These systems are exceptionally valuable to IT departments and QPC has extensive experience in these platforms. They are an exceptional value to IT management functions and IT departments.
However, most organizations, even those with full-time IT departments, will not meet the requirements for self-hosting. Why? In order for a self-hosted password management system to be successful, it relies upon many factors which must be in place and be fully executed with extremely high levels of skill and security. This level of skill is outside of the technical skill level of nearly all IT departments of companies with fewer than 5000 employees.
If the requirements are not fully met continually for the life of use of the platform, the platform and its contents are likely to be compromised. A compromise could consist of the data exfiltration of the entire password vault database which would be catastrophic to the organization.
Baseline requirements for premise password managers
Extremely tight supply chain risk network layer security rules and management
Ability to do offline upgrades for all software and systems involved
Extremely adept underlying server, network, power infrastructure management
Rapid patch management within 48 hours or less
Always on scanning for vulnerability assessment backed by active monitoring and remediation
Active monitoring
Multiple first line backups per day with multiple encrypted offsite backups per day
Two physically disparate sites with significant server, network, power infrastructure with automatic backup generator service and redundant internet
Proficiency at managing SQL server replication over WAN links in an active/active SQL server configuration
Proficiency at maintaining active/active application server configurations and automatic failover network configurations
Absolute rigorous discipline to adhere to documented standards for vault creation, password management system administration, application updates, database system updates, OS updates, third party app updates, network layer security management across the entire internal and site-to-site connected networks. Any laxity in the discipline of the IT personnel managing the system will cause it to fail to deliver the security profile required for critical assets.
Minimum of two servers involved with the addition of more servers if internet facing roles such as mobile access are desired
IT personnel’s ability to implement and maintain complex privileged access management systems
Regular security compliance and audit report reviews. This will require a CISO and/or compliance officer with significant technical skill.
Tuesday May 03, 2022
Cybersecurity insurance requires MFA for all internal and external administrative access. How do you accomplish this?
Examples of things you might access:
switches
firewalls
servers
printers
workstations
DNS hosting
website hosting
cloud management portals
NAS
BCDR appliances
There are many ways to solve this problem and they are all too long to post about here, so this is what this podcast is about.
- Passwordstate remote integrated proxy authentication
- tiered access control
- compensating controls as an alternate for MFA
- access portals with MFA
- privileged admin workstations
- account logon restrictions
- hardened network access control restrictions (microsegmentation strategies)
- more
https://www.clickstudios.com.au/remotesitelocations/default.aspx
Saturday Sep 25, 2021
How to avoid cybersecurity insurance fraud. If this happens to you, your claim will be denied and you will likely be uninsurable in the future including by other insurance providers.
You have to be working with an extremely operationally mature ITSP with ISOs on staff or you probably will not be able to navigate this complexity.
Great article showing a claims denial and the accompanying lawsuit for a perceived insurance fraud incident.
https://www.insurancejournal.com/news/national/2022/07/12/675516.htm